At present, data security is very important in the Internet era, so many people will pay attention to whether the URL they use is HTTPS, think that as long as it is HTTPS, encrypted website others will not know. Do not leave the application software at random, otherwise the website access records and other information may be leaked.
So, if you visit HTTPS sites on a daily basis, will no one know? Using an App to access an anonymous forum is also an HTTPS url, will others know? If both conditions are read by others, by what means does the other person apply them?
Today xiaobian from the following aspects to share with you:
HTTPS security reasons.
Authenticity of HTTPS security?
How does App keep information safe from being crawled away?
What should be the means of monitoring? What should be done?
HTTPS Security causes HTTPS
TLS, also known as HTTP over TLS, is the predecessor of SSL and has several versions.
Data integrity: The content transfer has been verified for integrity
Data privacy: The content is symmetrically encrypted, with each connection generating a unique encryption key
Identity authentication: A third party cannot forge a server (client) identity
https
There is a handshake process, which basically means that the client and the server negotiate a mutually supported encryption algorithm and corresponding random parameters through “handshake talks” to obtain a pair of keys, and the subsequent transmission content is encrypted and decrypted through this pair of keys. Interested parties can use WireShark to capture packets and see each step in detail to help them understand the full HTTPS process.
Therefore, when HTTPS is used to access a website, even if traffic is intercepted and monitored, the obtained information is encrypted and the substantive content is invisible.
HTTPS has one important thing in the handshake phase – certificates.
SNI — Domain name streaking
When accessing an HTTPS site, an SSL connection is established with the server, and the first step is to request the server’s certificate.
When a Server IP address corresponds to only one domain name (site), it is convenient for any client to return the certificate corresponding to the domain name (service) without thinking. But IP address (IPv4) is limited ah, multiple domain name reuse the same IP address how to do?
When sending a certificate, the server does not know which domain name the browser accesses. Therefore, the server cannot send different certificates based on different domain names.
So the TLS protocol has been updated to include SNI, an SSL/TLS extension that allows a Server to use multiple domain names and certificates.
It works by sending the Hostname of the site to be visited before establishing an SSL connection with the server, and the server will return an appropriate certificate based on this domain name. At this time there is no way to encrypt and decrypt, so at least this domain name is naked.
Therefore, even with HTTPS, the accessed domain name information is in nude state. When you visit a small movie site at work, you leave a trail, and if you access the company’s network, you’ll be caught.
In addition to the domain name is naked, there is a more serious risk, that is man-in-the-middle attack.
Man-in-the-middle attack
As mentioned earlier, the key to HTTPS is the certificate. As can be seen from the name, man-in-the-middle attack means that there is an “intermediary” between the client and the server. The “intermediary” disguises the other party between the client and the server, as shown in the following figure. This “MitmProxy” acts as a middleman to deceive each other:
Try a package capture program like MitmProxy or Fiddler and start the proxy.
At this time, use mobile phone to visit Baidu, and get the following information:
Note, the connection is not private connection, in fact, the browser recognized the certificate is not right, no trust. If Fiddler’s certificate is installed on the phone, it will work.
So when you trust the certificate, it’s all in front of the middleman.
If you use a company computer, do you have a certificate of trust, or do you have a similar client software installed on your phone?
Take a look at the phone’s certificate installation details.
How to prevent information security, anti – crawl
As mentioned earlier, the key to a man-in-the-middle attack is whether the certificate is trusted. The browser’s behavior is that the certificate allows the user to authorize trust, and the APP can be controlled by the developer.
For example, I tried to capture and decrypt HTTPS in an anonymous community in a similar way, but failed. Why?
This leads to ‘SSL Pinning’ technology.
The App can verify for itself that the certificate returned by the server during the SSL handshake is legitimate. ‘SSL pinning’ technology means that only fixed certificates or public keys are trusted in the App.
During the handshake phase, the server certificate must be returned to the client. If the client stores the server certificate to the local server during the handshake verification process, the certificate returned by the server is the same as the local built-in certificate, and then initiates a network request. Otherwise, disconnect the connection and become unavailable.
Of course, this technique usually prevents HTTPS messages from being decrypted.
However, there are other techniques that can beat this approach, such as Android hooks that bypass the logic of local certificate strong verification. Those of you who are interested can study it for learning purposes. However, it is said that this method requires the system to Root, jailbreak, etc., requires some higher permission Settings.
Therefore, also warned us, must not be disorderly installation of some software, a little attention may be recruited, let yourself streaking on the Internet. On the one hand, personal privacy information may be leaked, on the other hand, some very important accounts such as passwords may also be stolen.
What are the possible means of surveillance?
Of course, your office computer has to be connected to the company network, and you should know that the company knows exactly what websites you visit and when.
It is the same if your mobile phone is connected to the company network (even Agent software does not need to be installed). This reminds us that personal Internet use their own mobile network as much as possible.
As mentioned above, if some sensitive information involving privacy, such as some PC software, mobile phone App internal encryption transmission, content encryption (including but not limited to HTTPS) can not be cracked, it is not a problem.
However, this of course depends on the quality of the software designers. For example, the same anonymous user cannot display the same ID to the public, which also exposes a logical loophole.
Of course, we still do not have a fluke psychology, under the requirements of supervision, if there is indeed some illegal and inappropriate speech, etc., there is always a way to find you.
What’s more, the average office computer will be pre-installed with some corporate security software, as for what the software actually does, whether or not to do the legendary stealthily screenshots of what, this will vary from person to company. (Do not discuss whether similar behaviors violate employees’ privacy and other issues)
But personally, I don’t think we need to worry too much. The general company also won’t because you go to work occasionally touch fish, browse Taobao, look at micro blog to find you trouble. After all, there is no need to make a big fuss over such a trivial matter.
But isn’t it a good idea to check the employee handbook to see if there’s anything specifically prohibited? His behavior is not too much, in order to avoid being caught, is the so-called “often walking in the river where there are no wet shoes”, “he who has a mind to beat his dog will easily find a excuse”.
Stone talent, the article is unavoidably omissions, if there are corresponding problems, but also hope you give advice. Finally, I wish you all a lifetime not to fall into a pit because of this kind of thing.
Afterword.
This article focuses on the knowledge of HTTPS (man-in-the-middle attack, SNI, etc.), which has been exposed in the domain name resolution stage.
Before making a request for a domain name, the company needs to know the IP address of the domain name and access the DNS server. The company only needs to specify the DNS server on the network, intercept unencrypted DNS packets, and learn about the situation in minutes.
Here I quote the comments of some readers after the article was issued by the public account. I feel that I have gained something and hereby add the following:
In addition to HTTPS, don’t forget secure DNS, DoH(DNS over HTTPS) or DoT(DNS over TLS).
At present, it is better to set up the DNS server of DoH by yourself. After connecting to the network, set the DNS server as your server IP. Native Android even provides “private DNS” option in the Settings.
Of course, if you can also run a proxy service, the aforementioned SNI leak access domain name problem also solved together. Packet capture only reveals that you have been accessing your own server. To be more realistic, you can even build a Web server on top of your server and put some content on it, so that even if someone traces the IP, they can open it as normal